From: Eloy Pérez González
Date: Thu, 28 Apr 2022 10:47:43 +0000 (+0200)
Subject: krb5: use req_type instead of msg_type to get request type
X-Git-Tag: suricata-7.0.0-rc2~165
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ed91d689f2538470f6bffd478ec69f130bb1cf8a;p=thirdparty%2Fsuricata.git
krb5: use req_type instead of msg_type to get request type
---
diff --git a/rust/src/krb/krb5.rs b/rust/src/krb/krb5.rs
index 42028794cf..69c89461d2 100644
--- a/rust/src/krb/krb5.rs
+++ b/rust/src/krb/krb5.rs
@@ -82,6 +82,9 @@ pub struct KRB5Transaction {
 /// Error code, if request has failed
 pub error_code: Option,
+ /// Message type of request. For using in responses.
+ pub req_type: Option,
+
 /// The internal transaction id
 id: u64,
@@ -149,6 +152,11 @@ impl KRB5State {
 if let Ok((_,kdc_rep)) = res {
 let mut tx = self.new_tx(direction);
 tx.msg_type = MessageType::KRB_AS_REP;
+ if self.req_id > 0 {
+ // set request type only if previous message
+ // was a request
+ tx.req_type = Some(MessageType(self.req_id.into()));
+ }
 tx.cname = Some(kdc_rep.cname);
 tx.realm = Some(kdc_rep.crealm);
 tx.sname = Some(kdc_rep.ticket.sname);
@@ -179,6 +187,11 @@ impl KRB5State {
 if let Ok((_,kdc_rep)) = res {
 let mut tx = self.new_tx(direction);
 tx.msg_type = MessageType::KRB_TGS_REP;
+ if self.req_id > 0 {
+ // set request type only if previous message
+ // was a request
+ tx.req_type = Some(MessageType(self.req_id.into()));
+ }
 tx.cname = Some(kdc_rep.cname);
 tx.realm = Some(kdc_rep.crealm);
 tx.ticket_etype = Some(kdc_rep.ticket.enc_part.etype);
@@ -201,6 +214,11 @@ impl KRB5State {
 let res = krb5_parser::parse_krb_error(i);
 if let Ok((_,error)) = res {
 let mut tx = self.new_tx(direction);
+ if self.req_id > 0 {
+ // set request type only if previous message
+ // was a request
+ tx.req_type = Some(MessageType(self.req_id.into()));
+ }
 tx.msg_type = MessageType::KRB_ERROR;
 tx.cname = error.cname;
 tx.realm = error.crealm;
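Review bot: The doc comment on the new field, `/// Message type of request. For using in responses.`, is ungrammatical and does not say when the field is populated; the later hunks in this file set it only on KRB_AS_REP, KRB_TGS_REP and KRB_ERROR transactions, and only when a request was recorded on the flow first, so the comment should state that. Suggest `/// Message type of the request this response answers (AS-REQ or TGS-REQ, per the logger); None on request transactions and on responses whose request was not captured.` The generic parameter is lost in this rendering (`Option,`), presumably `Option<MessageType>` given the `Some(MessageType(...))` assignments below. The struct definition continues outside the hunk.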
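Review bot: The guard `if self.req_id > 0` at the top of the added block only proves that some request was recorded earlier on this flow, not that it has not already been answered; unless `req_id` is reset to 0 once a response is handled (not visible in this hunk), a KRB_AS_REP whose own request was lost in capture would inherit the type of an older request and be logged against the wrong request. If that reset exists further down the arm, a comment here pointing at it would help, e.g. `// req_id is cleared after each response, so a non-zero value is the still-unanswered request`; if it does not, add `self.req_id = 0;` after the transaction is pushed. The enclosing match arm continues past the hunk.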
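Review bot: This five-line block is now pasted verbatim into three arms of the same function (KRB_AS_REP, KRB_TGS_REP here, and KRB_ERROR), so the `req_id > 0` convention lives in three places; a small accessor on `KRB5State` keeps it in one. `fn pending_req_type(&self) -> Option<MessageType> { (self.req_id > 0).then(|| MessageType(self.req_id.into())) }` and then `tx.req_type = self.pending_req_type();` in each arm, which also makes the comment about "previous message was a request" a single doc comment on the helper. `bool::then` needs Rust 1.50, which the tree presumably already requires; confirm against the MSRV. The enclosing match arm continues past the hunk.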
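Review bot: In this arm the added block runs before `tx.msg_type = MessageType::KRB_ERROR;`, while the KRB_AS_REP and KRB_TGS_REP arms set `msg_type` first; harmless, but aligning the order makes the three arms diff cleanly. More importantly, a KRB-ERROR is attributed to whatever request was most recently recorded on the flow, which over UDP (retransmits, more than one outstanding request from the same client port) or on a pipelined TCP connection may not be the request this error answers, so the inline comment should present the attribution as best-effort rather than as a fact, e.g. `// best-effort: attribute the error to the most recent request seen on this flow`. The enclosing match arm continues past the hunk.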
@@ -268,6 +286,7 @@ impl KRB5Transaction {
 etype: None,
 ticket_etype: None,
 error_code: None,
+ req_type: None,
 id,
 tx_data: applayer::AppLayerTxData::for_direction(direction),
 };
diff --git a/rust/src/krb/log.rs b/rust/src/krb/log.rs
index 40fc19d122..427876ad7e 100644
--- a/rust/src/krb/log.rs
+++ b/rust/src/krb/log.rs
@@ -24,8 +24,15 @@ fn krb5_log_response(jsb: &mut JsonBuilder, tx: &mut KRB5Transaction) -> Result<
 {
 match tx.error_code {
 Some(c) => {
- jsb.set_string("msg_type", "KRB_ERROR")?;
- jsb.set_string("failed_request", &format!("{:?}", tx.msg_type))?;
+ jsb.set_string("msg_type", &format!("{:?}", tx.msg_type))?;
+ if let Some(req_type) = tx.req_type {
+ jsb.set_string("failed_request", &format!("{:?}", req_type))?;
+ } else {
+ // In case we capture the response but not the request
+ // we can't know the failed request type, since it could be
+ // AS-REQ or TGS-REQ
+ jsb.set_string("failed_request", "UNKNOWN")?;
+ }
 jsb.set_string("error_code", &format!("{:?}", c))?;
 },
 None => { jsb.set_string("msg_type", &format!("{:?}", tx.msg_type))?; },
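Review bot: After this change both match arms start with the identical `jsb.set_string("msg_type", &format!("{:?}", tx.msg_type))?;`, so the `msg_type` write can be hoisted above the match and the `Some` arm reduced to the error-specific fields, with the `req_type` fallback folded into a `map_or_else` and the three-line branch comment shrunk to one. The emitted JSON is unchanged: the field order is still `msg_type`, `failed_request`, `error_code`, and `failed_request` is still the literal `UNKNOWN` when the request was not captured. This relies on `MessageType` and the error code being `Copy`, which the hunk's own `if let Some(req_type) = tx.req_type` already assumes. `krb5_log_response` continues past the hunk.
```rust
    jsb.set_string("msg_type", &format!("{:?}", tx.msg_type))?;
    if let Some(c) = tx.error_code {
        // response captured without its request: AS-REQ and TGS-REQ are both possible
        let failed = tx.req_type.map_or_else(|| "UNKNOWN".to_string(), |t| format!("{:?}", t));
        jsb.set_string("failed_request", &failed)?;
        jsb.set_string("error_code", &format!("{:?}", c))?;
    }
    // … unchanged: rest of krb5_log_response …
```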